A previously unknown spyware campaign targeting iPhones, believed to have been ongoing since 2019, has been found to exploit an undocumented feature in chips designed by Apple Inc. to bypass hardware-based memory protection.
Detailed today by researchers from Kaspersky Labs Inc. at the 37th Chaos Communication Congress, the campaign, dubbed “Operation Triangulation,” starts with a zero-click attack on Apple’s iMessage that exploits four vulnerabilities in iOS versions up to 16.2. A zero-click attack is, as the name suggests, one that can infect a target device without any action by the user.
The attackers send a malicious iMessage attachment that the application processes without showing any sign of it to the user. The chain first exploits a remote code execution vulnerability, tracked as CVE-2023-41990, in a previously undocumented Apple-only ADJUST TrueType font instruction. The researchers note that the instruction has existed since the early 1990s and was only removed by a recent patch.
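As a defender-side illustration of the font-instruction angle above, here is an added example (not code from Kaspersky or from the article) that scans a TrueType font’s fpgm and prep programs and reports any opcode the public TrueType instruction reference leaves unassigned, while correctly stepping over the inline operands of the push instructions so data bytes are not misread as opcodes. The unassigned-opcode set is taken from the instruction reference and is an assumption of this example; the page does not state which opcode ADJUST uses, and the example makes no claim about it. The sample font is constructed inline.

```python
import struct
# Opcodes the TrueType instruction reference leaves unassigned (IDEF may define them).
UNASSIGNED = {0x28, 0x7B, 0x83, 0x84, 0x8F, 0x90} | set(range(0x93, 0xB0))

def scan_instructions(code: bytes):
    """(offset, opcode) of every unassigned opcode; push operands are skipped, not decoded."""
    hits, i = [], 0
    while i < len(code):
        op = code[i]
        if op == 0x40:             # NPUSHB: count byte, then that many operand bytes
            i += 2 + (code[i + 1] if i + 1 < len(code) else 0)
        elif op == 0x41:           # NPUSHW: count byte, then that many 16-bit words
            i += 2 + 2 * (code[i + 1] if i + 1 < len(code) else 0)
        elif 0xB0 <= op <= 0xB7:   # PUSHB[n]: n+1 operand bytes follow
            i += 2 + (op - 0xB0)
        elif 0xB8 <= op <= 0xBF:   # PUSHW[n]: n+1 operand words follow
            i += 3 + 2 * (op - 0xB8)
        else:
            if op in UNASSIGNED:
                hits.append((i, op))
            i += 1
    return hits

def sfnt_tables(font: bytes):
    """Parse the sfnt table directory into {tag: table bytes}."""
    (num_tables,) = struct.unpack(">H", font[4:6])
    tables = {}
    for k in range(num_tables):
        tag, _csum, off, ln = struct.unpack(">4sIII", font[12 + 16 * k:28 + 16 * k])
        tables[tag.decode("latin-1")] = font[off:off + ln]
    return tables

def scan_font(font: bytes):
    """Scan the font-wide programs; per-glyph 'glyf' streams take the same scanner."""
    tables = sfnt_tables(font)
    return {t: scan_instructions(tables[t]) for t in ("fpgm", "prep") if t in tables}

def build_font(tables):
    """Assemble a minimal sfnt blob (constructed test input, not a real font)."""
    hdr, dir_, body = struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0), b"", b""
    base = 12 + 16 * len(tables)
    for tag, data in tables.items():
        dir_ += struct.pack(">4sIII", tag.encode(), 0, base + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)
    return hdr + dir_ + body

# Constructed sample: fpgm's two operand bytes look like opcodes and must not be flagged;
# prep executes a genuinely unassigned opcode at offset 2.
SAMPLE = build_font({"fpgm": bytes([0xB1, 0x8F, 0x90, 0x21, 0x21]),  # PUSHB[1] 8F 90; POP; POP
                     "prep": bytes([0xB0, 0x01, 0x8F, 0x21])})       # PUSHB[0] 1; 0x8F; POP
```

A hit is a lead, not a verdict: fonts may legitimately define their own instructions with IDEF, so flagged opcodes should be checked against any IDEF blocks in the same program.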
Having gained code execution, the attackers then exploit further vulnerabilities in iOS, including in the JavaScriptCore library environment, to run a privilege escalation exploit written in JavaScript. The exploit is obfuscated to make it unreadable and abuses a debugging feature to gain the ability to manipulate JavaScriptCore’s memory and call native application programming interface functions.
Other vulnerabilities exploited in the attack include the integer overflow vulnerability CVE-2023-32434, a Page Protection Layer bypass tracked as CVE-2023-38606, and a Safari exploit, CVE-2023-32435. Ultimately, the exploit obtains root privileges and executes further stages, including loading the spyware itself.
Attack chains can get deeply technical, but the most interesting step here is the Page Protection Layer bypass, CVE-2023-38606, and how it was achieved. The Kaspersky researchers say it comes down to the attackers being “able to write data to a certain physical address while bypassing the hardware-based memory protection by writing the data, destination address and data hash to unknown hardware registers of the chip unused by the firmware.”
But what unknown hardware feature? Even the researchers are not sure.
“Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory or that it was included by mistake,” the researchers explain. “Because this feature is not used by the firmware, we have no idea how attackers would know how to use it.”
The researchers have published the technical details of the exploit in full, at least as far as they have been able to reconstruct them, so that other iOS researchers can confirm the findings and propose explanations for how the attackers learned of an unknown hardware feature.
Image: DALL-E 3